Hi everyone, I'm trying to update all my code to make it a little more secure, but I came across a problem doing it. I'm getting this error and I have no idea why. I'm thinking it has to do with the mysql_real_escape_string(strip_tags()), but I could be wrong. Here is my code and the error I'm getting. Any help would be great, as always. Thanks… (One more thing: line 5 in my code is this: <title>Untitled Document</title>)
Error:
[CODE]Error in query:
UPDATE list SET sendto = '[email protected]', subject = 'blah blah blah', message = 'blah blah blah blah blah blah.' WHERE id = '1', And user = 'ycpc55'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' And user = 'ycpc55'' at line 5
Time of Error: Saturday May 26, 2012, 20:20:32 EDT[/CODE]
My code:
[code=php]$checkbox = $_POST['checkbox'];
$sendto = mysql_real_escape_string(strip_tags($_POST['sendto']));
$subject = mysql_real_escape_string(strip_tags($_POST['subject']));
$message = mysql_real_escape_string(strip_tags($_POST['message']));
$edit = mysql_real_escape_string(strip_tags($_POST['edit']));
$user = mysql_real_escape_string($_SESSION['id']);
if($edit){
    for($i=0;$i<$count;$i++){
        $edit_id = $checkbox[$i];
        $sql = "UPDATE list SET
        sendto = '{$sendto}',
        subject = '{$subject}',
        message = '{$message}'
        WHERE id = '{$edit_id}',
        And user = '{$user}'";
        // keep the query result so the redirect check below has a value to test
        $result = mysql_query($sql, $conn)
            or die('Error in query:<br>'. $sql .'<br>'.mysql_error($conn).'<br>Time of Error: '.date("l F j, Y, G:i:s T"));
    }
    if($result){
        header("Location: index.php");
    }
}
mysql_close();[/code]
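
The MySQL error above points at the comma after `WHERE id = '1'`: conditions in a WHERE clause are joined with AND alone. As an added example (not part of the original post), here is the same update with PDO prepared statements, which also covers the checkbox id that the posted code places in the query unescaped. The schema, sample rows and the `updateRows` helper are constructed for illustration, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not the poster's code. Constructed schema and rows; an
// in-memory SQLite database stands in for MySQL (assumption) to run offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE list (id INTEGER PRIMARY KEY, user TEXT,
            sendto TEXT, subject TEXT, message TEXT)');
$pdo->exec("INSERT INTO list (id, user, sendto, subject, message) VALUES
            (1, 'alice', 'old', 'old', 'old'),
            (2, 'bob',   'old', 'old', 'old')");

/**
 * Update the selected rows, but only those owned by $user.
 * Returns the number of rows actually changed. (Hypothetical helper.)
 */
function updateRows(PDO $pdo, array $ids, $user, array $fields)
{
    // Conditions in WHERE are joined with AND only; no comma between them.
    $stmt = $pdo->prepare(
        'UPDATE list SET sendto = :sendto, subject = :subject, message = :message
         WHERE id = :id AND user = :user'
    );
    $changed = 0;
    foreach ($ids as $id) {
        // Checkbox values are request data too: skip anything non-numeric.
        if (!is_string($id) || !ctype_digit($id)) {
            continue;
        }
        // Values travel as bound parameters, never as part of the SQL text.
        $stmt->execute([
            ':sendto'  => $fields['sendto'],
            ':subject' => $fields['subject'],
            ':message' => $fields['message'],
            ':id'      => (int) $id,
            ':user'    => $user,
        ]);
        $changed += $stmt->rowCount();
    }
    return $changed;
}

// Constructed request data: id 2 belongs to another user, the third is hostile.
$ids    = ['1', '2', "1' OR '1'='1"];
$fields = ['sendto' => 'a@example.test', 'subject' => "it's here", 'message' => 'hello'];
echo updateRows($pdo, $ids, 'alice', $fields), " row(s) updated\n";
```

With bound parameters the apostrophe in the subject needs no escaping, and `strip_tags()` is not what protects the query; HTML encoding belongs at output time.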